User behavioral risk assessment

US 9,058,486 B2
Filed: 12/22/2011
Issued: 06/16/2015
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

receive data from a computing device, wherein the data describes;

a plurality of activities detected at the computing device and performed by the particular user while using the computing device, anda potential violation of a particular one of a set of rules, wherein a particular one of the plurality of activities comprises the potential violation, and the potential violation is determined at the computing device;

determine that the potential violation qualifies as a particular use violation in a plurality of pre-defined use violations;

determine a behavioral risk score for the particular user based at least in part on the determination of the particular use violation and one or more other activities in the plurality of activities;

receive data from the computing device identifying a determination by the computing device of a potential violation of a different, second set of rules based on a second activity performed by a second user using the computing device, wherein application of the second set of rules is based at least in part on identification of the second user using the computing device; and

determine whether the potential violation of the second set of rules qualifies as at least one use violation in the plurality of pre-defined use violations.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular score for the user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation.

36 Citations

View as Search Results

27 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive data from a computing device, wherein the data describes;
  
  a plurality of activities detected at the computing device and performed by the particular user while using the computing device, anda potential violation of a particular one of a set of rules, wherein a particular one of the plurality of activities comprises the potential violation, and the potential violation is determined at the computing device;
  
  determine that the potential violation qualifies as a particular use violation in a plurality of pre-defined use violations;
  
  determine a behavioral risk score for the particular user based at least in part on the determination of the particular use violation and one or more other activities in the plurality of activities;
  
  receive data from the computing device identifying a determination by the computing device of a potential violation of a different, second set of rules based on a second activity performed by a second user using the computing device, wherein application of the second set of rules is based at least in part on identification of the second user using the computing device; and
  
  determine whether the potential violation of the second set of rules qualifies as at least one use violation in the plurality of pre-defined use violations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 24, 25, 26, 27)
- - 2. The storage medium of claim 1, wherein the set of rules in one of a plurality of sets of rules and application of the set of rules is based at least in part on identification of the particular user and use of the computing device, wherein the computing device is a particular one of a plurality of computing devices.
  - 3. The storage medium of claim 1, wherein the set of rules is an extensible set of rules adapted to be supplemented and modified by user inputs and at least one rule in the set of rules is a user-defined rule.
  - 4. The storage medium of claim 1, wherein the plurality of pre-defined use violations includes less than all of a set of available pre-defined use violations and the plurality of pre-defined use violations is a first set of pre-defined use violations identified as corresponding to the particular user.
  - 5. The storage medium of claim 4, wherein the particular user is one of a plurality of users including a second user, wherein a second set of pre-defined use violations correspond to the second user and the second set of pre-defined use violations does not include the particular use violations, wherein performance of the particular activity by the second user does not qualify as a use violation.
  - 6. The storage medium of claim 4, wherein the first set of pre-defined use violations is identified as corresponding to the particular user based at least in part on at least one of a tenure of the particular user in an organization, a role of the particular user in an organization, a title of the particular user in an organization, a geographical location of the particular user, and a risk profile of the particular user.
  - 7. The storage medium of claim 4, wherein the first set of pre-defined violations are identified as also corresponding to the computing device, the computing device included in a plurality of computing devices in a computing system.
  - 8. The storage medium of claim 1, wherein the behavioral score includes sub-scores representing reputation of the particular user in each of a plurality of use categories.
  - 9. The storage medium of claim 8, wherein the plurality of use categories includes at least one of user email use reputation, user Internet use reputation, user authentication risk reputation, user external memory device use reputation, and user shared system resource use reputation.
  - 10. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to trigger at least one countermeasure to counter risk associated with the particular use violation, the countermeasure triggered in response to determining that the particular activity qualifies as the particular use violation.
  - 11. The storage medium of claim 10, wherein triggering the countermeasure includes identifying that the particular use violation exceeds a particular threshold.
  - 12. The storage medium of claim 11, wherein the particular threshold is at least one of a time-based threshold identifying a length of time of the particular use violation, a repetition-based threshold identifying a number of repeated instances of the particular use violation by the particular user, a time-of-day threshold, and a severity-based threshold identifying a determined severity of the particular use violation.
  - 13. The storage medium of claim 1, wherein a software-implemented agent installed on the computing device detects the particular activity and sends information to a remote user behavioral risk analysis engine describing the detected particular activity.
  - 14. The storage medium of claim 1, wherein the user behavioral risk analysis engine further uses corroborating data received from a security tool monitoring activities of the computing device remote from the computing device to determine that the particular activity qualifies as the particular use violation.
  - 15. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to determine an identity of the particular user in connection with the performance of the particular activity.
  - 16. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to:
    - identify determination, at a second computing device, of a second potential violation of the set of rules based on a second activity performed by the particular user using the second computing device; and
      
      determine that the second potential violation qualifies as at least one use violation in the plurality of pre-defined use violations;
      
      wherein the behavioral risk score for the particular user is further based, at least in part, on the determination of the at least one use violation.
  - 17. The storage medium of claim 1,wherein a second behavioral risk score is determined for the second user based at least in part on the determination of the at least one use violation in the plurality of pre-defined use violations.
  - 18. The storage medium of claim 1, wherein a behavioral profile is associated with the particular user describing expected tendencies of the particular user during use of a computing system including the computing device, and determination that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations corroborates a determination that other activity on the computing system associated with the particular user deviates from the behavioral profile.
  - 19. The storage medium of claim 18, wherein the determination that other activity on the computing system associated with the particular user deviates from the behavioral profile is determined from feedback data received from at least one security tool monitoring components of the computing system remote from the computing device.
  - 24. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to serve the set of rules to the computing device to be used at the computing device in determining potential violations of the set of rules of user activities detected at the computing device.
  - 25. The storage medium of claim 24, wherein the instructions, when executed, further cause the machine to identify that the particular user is a user of the computing device and identifying that the computing device is of a particular type, wherein the set of rules corresponds to use of the particular type of computing device by the particular user.
  - 26. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to:
    - receive data from a security tool remote from the computing device, wherein the data from the security tool describes a security event detected by the security tool from data communicated over a network, wherein the data communicated over the network is identified as associated with the particular user, and the behavioral risk score for the particular user is further based on the security event.
  - 27. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to identify security attributes of the computing device, wherein the behavioral risk score comprises a score for a pairing of the particular user and the computing device and is further based on the identified security attributes of the computing device.

20. A method comprising:
- receiving data from a computing device, wherein the data describes;
  
  a plurality of activities detected at the computing device and performed by the particular user while using the computing device, anda potential violation of a particular one of a set of rules, wherein a particular one of the plurality of activities comprises the potential violation, and the potential violation is determined at the computing device;
  
  determining that the potential violation qualifies as a particular use violation in a plurality of pre-defined use violations;
  
  determining a behavioral risk score for the particular user based at least in part on the determination of the particular use violation and one or more other activities in the plurality of activities;
  
  receiving data from the computing device identifying a determination by the computing device of a potential violation of a different, second set of rules based on a second activity performed by a second user using the computing device, wherein application of the second set of rules is based at least in part on identification of the second user using the computing device; and
  
  determining whether the potential violation of the second set of rules qualifies as at least one use violation in the plurality of pre-defined use violations.

21. A system comprising:
- at least one processor device;
  
  at least one memory element; and
  
  a user behavioral risk analysis tool, adapted when executed by the at least one processor device to;
  
  receive first data from a computing device, wherein the first data describes;
  
  a plurality of activities detected at the computing device and performed by the particular user while using the computing device, anda potential violation of a particular one of a set of rules, wherein a particular one of the plurality of activities comprises the potential violation, and the potential violation is determined at the computing device;
  
  determine that the potential violation qualifies as a particular use violation in a plurality of pre-defined use violations;
  
  determine a behavioral risk score for the particular user based at least in part on the determination of the particular use violation and one or more other activities in the plurality of activities;
  
  receive second data from the computing device identifying a determination by the computing device of a potential violation of a different, second set of rules based on a second activity performed by a second user using the computing device, wherein application of the second set of rules is based at least in part on identification of the second user using the computing device; and
  
  determine whether the potential violation of the second set of rules qualifies as at least one use violation in the plurality of pre-defined use violations.
- View Dependent Claims (22, 23)
- - 22. The system of claim 21, wherein the first and second data is received from an agent installed on the particular computing device, wherein the agent detected the particular activity.
  - 23. The system of claim 21, wherein the user behavioral risk analysis tool is further adapted to:
    - identify a predetermined particular behavioral profile associated with the particular user, the particular behavioral profile describing expected tendencies of the particular user during use of a computing system including the particular computing device;
      
      identify, from feedback data received from one or more security tools, at least one activity of the particular user using the computing system;
      
      determine that the at least one activity deviates from the particular behavioral profile; and
      
      identify a correlation between the determined deviation from the particular behavioral profile and the particular use violation determined from the detected particular activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Moyle, Michael Mason, Schrecker, Sven, Basavapatna, Prasanna Ganapathi
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US13/334,474
Publication Number

US 20130097701A1
Time in Patent Office

1,272 Days
Field of Search

726 22- 25, 726/1, 726/2, 726/7, 705/1, 705/7, 713/150, 713/152, 713/164, 713/166
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

User behavioral risk assessment

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

User behavioral risk assessment

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links